[magic_haze]

XPrivacy should really come installed by default with Android: the new versions are really quite good (especially with the cloudsourcing and on-demand bits) and really highlight how atrocious most apps are with your personal data. And it is a hell of a lot more effective than relying on companies like Avast to detect and remove bad actors from the market. I've lost track of the number of times random apps (most of whom are just shells around a website) ask permissions for my full phone number, Google and Facebook accounts, contact info etc. for no reason at all. At this point, I'm scared of using Android without the module. (not that ios or windows are any better)

[drdaeman]

Denying permissions breaks most apps (I'd say, 8-9 out of 10 just crash due to unhandled exceptions), so XPrivacy returns fake data (no contacts, no Internet connection, spoofed MAC and IMEI etc.).

But, then, some companies are really upset about spoofing. For example, Swype had serious issues with that to the extent they cried they won't even be able to release their famous keyboard if they weren't be able to get personal data for their analytics. [1] So, CM team decided to not built any spoofing (the only practically working solution to the problem) in.

Dancing bunnies 1 : Security 0

____

[1]: http://www.androidpolice.com/2011/05/25/swype-cyanogenmod-pe...

[magic_haze]

I see where the Swype folks are coming from, but it's a bit like the people who complained against the existence of mailinator.com a decade back. Are they seriously claiming that a company whose entire business is based on making sense of dubious data will completely break down if its analysis service gets some bad inputs? How do they deal with shady manufacturers who return wrong data?

Swype is operating in a marketplace that is full of apps crying wolf and asking for way more permissions than they need, usually for unknown purposes. For example, I like to read The Verge and use its app[1], but it has "read phone status and identity" and "modify or delete the contents of your USB storage" in its manifest, which I'm not comfortable with. There is nothing that explains what they use this information for, how long they store it, and who they share it with. Heck, my desktop browser doesn't give theverge.com this permission and yet the site functions just fine.

Why should I bare my personal data to the whole world just because one developer is too lazy to implement checks on his inputs?

[1] https://play.google.com/store/apps/details?id=com.verge.andr...

[Zigurd]

If you don't handle SecurityException you deserve to lose. Google made revocation of permissions possible, but then hid the capability. They chickened out. Making permissions revocable is one of the best enhancements Google could make to Android.

[drdaeman]

Developers don't really lose anything. A bunch of privacy-caring nerds who don't let spy on them too much? They're a tiny fraction, and even then, they've increased download counter.

If app doesn't handle exceptions, it's the consumers who are at loss. They either lose their privacy or service. Former is worse (in my viewpoint), but still...

(Obviously, losing some dubious malware-ridden "night vision" app is not real loss to begin with, but there are more high-quality apps that are quite disastrous from privacy viewpoint.)

[Zigurd]

Google has, at least, hinted in this direction. Developers should get a clue. Or they will find more junk data in their analytics, as users deploy more spoofing.

[drdaeman]

There's no incentive to get a clue. Typical users will click through anyway. And, well, if you don't get a clue you get a possibility to spy on your users.

Unless Google will start actively penalizing requesting more permissions than absolutely necessary, nothing will change. And, considering all top market players (including Google themselves) are actually interested in analytics and whatever and not interested in end-user's privacy, it's very unlikely scenario.

[judk]

How does Swype make their money? I thought it is a paid app, so why do they need analytics? Are they secretly selling user corpus data?

That post has some really wishy washy handwavy explanations for how IMEI spoofing etc supposedly ruins Swype analytics. I don't buy it.

[fpgeek]

Swype's issues with spoofing date back to before they were a paid app (that only happened last year). At the time, there were only two ways to get Swype:

1. Your device manufacturer paid to include Swype in their default keyboard (no IMEIs requested or desired, AFAIK). That was where they made their money, at the time.

2. You signed up for Swype's beta program, to get a free version of Swype directly from them (which you sideloaded, possibly on multiple devices and/or ROMs). To me, whether or not they "really" needed IMEIs for their statistics is beside the point. Gathering those statistics was the only thing they were getting out of their beta program, so if you didn't like that deal you should just not participate - not spoil it for other people by giving false information.

[kpozin]

The paid version of Swype still collects location information (or at least uses the location API, according to my phone). Paying users of the keyboard would be quite justified in trying to prevent Swype from getting that information.

[jyrkesh]

Yeah, I've been holding back on rooting my Nexus 5 for a while just because I don't want to deal with the full wipe, but this convinced me. Obviously this article is somewhat AV FUD (just don't download the sketchy Spanish night vision app with WRITE_SMS permissions), but it's time I got my permissions in check.

[magic_haze]

The entire store experience is the opposite of what Eric Lippert calls the Pit of Success: literally no one involved in the process is incentivized to protect your data. Developers ask for all the permissions they can get away with because users get confused by multiple warnings, users blindly click accept on everything because they've learnt they can't use the app without that, Google is blindly complicit in all this because for some reason, they think everyone is as interested in/capable of protecting user data as they are... (Or they just don't care.)

[malandrew]

To be honest, the default approach should be making app developers only be allowed to ask for one permission at a time. This would provide a constraint where the developer would ask for permissions they need only when a user tries out a feature in the app that relies on that one permission.

Accessing the address book is another area where permissions could be made much better. No app really needs access to my entire address book. They just need to launch the built in address book and only get the information they need for the one or more contacts you choose from your address book.

[magic_haze]

I agree, but look at the grief Microsoft got when they tried it with Vista's UAC prompts... more permission popups is clearly not what the majority of users want.

I think one solution is having the prompts integrate with the sort of crowdsourcing algorithm that XPrivacy has (e.g., if >90% of users have granted the app permissions on the address book, then don't show the prompt.)

Another important feature is that the app should not know if the user has granted it the permissions it asked for. If the user doesn't want to, the system should just feed the app bogus data and let the user continue interacting with other parts of the app (as we see today, most apps don't really need the data they collect in order to work.)

[revelation]

This isn't the problem with UAC prompts. Their problem is that the user simply doesn't have the information to make any kind of informed decision, since the prompts are at pointless places in the lifetime of a process or give very little information on what is actually going to happen ("Do you want to allow the following program [..] to make changes to this computer?").

Android permissions, on the other hand, are reasonably fine-grained and allow the user to deduce what the app is going to do. If the app wants to send a SMS, how hard is it to popup a modal dialog that shows the target number and asks for the permission right there? That is obviously much better than showing it in one big list along with "internet access" in some nag-screen on the store.

Of course the app should know I didn't grant the permission. The only reason you revert to bogus data is because apps currently crash in horrible ways instead of handling it gracefully, as would be the case if this kind of at-the-spot permissions handling was the default.

[magic_haze]

Showing modal dialogs on every new permission request is how XPrivacy works right now, and while I understand and deal with the process, I can easily see how most people would (rightly) see it as an annoyance. I'm just saying they could easily augment it with their crowdsourced data and reduce the number of prompts, which would mean people will actually pay attention to the prompts when something bad happens.

Re: your second point, you're right, if the on-demand permissions handler were the default, more apps would handle it gracefully. However, it's not, and most apps today crash because they don't handle SecurityException when they call the android APIs. Also, you're assuming developers will act in good faith and will do whatever the users want. I would not be surprised at all if companies like Zynga, if they knew the user didn't give them the permissions, implement all sorts of dark UIs to trick/force the user to give them their data.

Should we not protect users just because they're too trusting with computers to realize what's going on?

[madeofpalk]

> I agree, but look at the grief Microsoft got when they tried it with Vista's UAC prompts... more permission popups is clearly not what the majority of users want.

Counterpoint, iOS appears to have a very successful permissions model in doing exactly this.

* Permissions are asked for one at a time

* Apps are expected to handle rejected permissions, but they're sent dummy data anyway (address book has no contacts, GPS coords is 0,0 etc)

* Permissions can be revoked in Settings.app

[devx]

I guess something like that may work better in a more limited mobile environment where you don't have to do it 20 times an hour, and it's also easier to do it with touch.

[SkyMarshal]

>I agree, but look at the grief Microsoft got when they tried it with Vista's UAC prompts... more permission popups is clearly not what the majority of users want.

Android only asks for those permissions when installing the app, which is not too burdensome. Iirc Vista did UAC popups for almost every user action, which people rightfully rose hell about.

[cturner]

That'd be clicky, but it's on the right lines.

A better way would be to come up with a smart grouping profile for apps that want reasonable common combinations. For example, "Standard application that can access your INTERNET". Give it a nice screen. "Standard application application that can USE YOUR CAMERA and access your INTERNET" would get a big question mark icon.

For any app that wants any weird combination outside the standards, make it opt in like you say - one permission at a time. With each requiring a screaming skull and crossbones.

If you did that, you could integrate more fine-grained permissions into a small number of supported profiles, and developers would be strongly discouraged from choosing anything outside that combination.

[shakethemonkey]

They blindly click on ACCEPT because Google stupidly lists relatively benign permissions ("network access", "read phone state", "vibrate") where they should be only listing severe ones. And the permissions they do list are often poorly explained.

[72deluxe]

I would not say that "network access" is a benign permission. Perhaps checking the state of the network is, but not full network access.

[ars]

BTW rooting doesn't include a full wipe. Unlocking does.

So you can unlock your device when you buy it and not root it till you are ready.

[sizzle]

xprivacy and xposed framework give an insane amount of control back to us end users. I suggest everyone cautious of their private data being taken without permission to look into them for android.